SaTC: CORE: Small: Information Disclosure and Security Policy Design: A Large-Scale Randomization Experiment in Trans-Pacific Region

SaTC：核心：小型：信息披露和安全政策设计：跨太平洋地区的大规模随机实验

• 批准号: 1718600
• 负责人: Andrew Whinston
• 金额: $ 33.08万
• 依托单位: University of Texas at Austin
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-08-01 至 2020-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1718600&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Information; Disclosure

With more prominent data breaches and cybersecurity incidents, cyber insecurity is becoming a serious problem for every individual and the society. Such security incidents are partially due to the lack of relevant governmental polices and the insufficient security protection by organizations managing information assets. The investigators will design an independent Trans-Pacific cybersecurity evaluation institution that measures and reports organizations' security weaknesses. The proposed institution aims at effectively motivating organizations to achieve a desirable level of cybersecurity. An opt-in field experiment with a rigorous design will be employed to empirically evaluate the performance of organizations in the Trans-Pacific region to see how they will respond to the diversified security performance reports of malicious cybercrimes, including spam, phishing, and distributed denial of service (DDoS) attacks. Based on the experimental results, the project will provide practical and credible suggestions to policy makers and companies improve their security preparedness.As methods of data analyses, the researchers will employ potentially useful theoretical and empirical models: (i) a model that allows endogenous experiments, (ii) static and dynamic models with strategic interaction between defenders and attackers, and (iii) a cyber-insurance and reinsurance model which utilizes the PIs' comprehensive security evaluation metric. The PIs will estimate the policy relevant parameters in these models using both experimental and observational data. In addition to the existing dataset on defenders, important data sets that have been collected and will be used in the analyses of the data for attackers, such as data for phishing activity, outgoing spam mails, and real time DDoS information. Since the PIs seek to recover flexible heterogeneous effects of policies, as cybersecurity data typically exhibit a great deal of heterogeneity, they introduce semi-parametric identification and estimation methods developed in the recent econometrics literature. This work contributes to the literature on randomized field experiments in several ways: (i) to identify the problem of endogeneity in randomized field experiments due to the existence of external impact; (ii) in the context of cybersecurity, to redesign a previous experiment and by introducing empirical strategies that control for endogeneity using novel datasets on the attackers; (iii) to recover fully heterogeneous effects of treatments, which departs from a simple and restricted approach commonly taken in the literature; (iv) as some of the datasets are of high frequency (e.g., DDoS real time attack), to develop estimation methods that deal with big data issues. Theoretical models of this project contribute to cybersecurity literature by following novel features: (i) a dynamic cybersecurity game in the continuous-time framework by using stochastic analysis; (ii) a cyber-insurance model with reinsurance opportunity, and specification of the role of governments as the ultimate excessive risk taker, and a method for governments to control organization's cybersecurity investment level by altering the premium.

随着数据泄露和网络安全事件的日益突出，网络不安全正在成为每个人和社会的严重问题。此类安全事件的部分原因是缺乏相关的政府政策以及管理信息资产的组织的安全保护不足。调查人员将设计一个独立的跨太平洋网络安全评估机构，衡量和报告组织的安全弱点。拟议的机构旨在有效激励各组织实现理想的网络安全水平。将采用具有严格设计的选择性现场实验，以实证方式评估跨太平洋地区组织的性能，以了解他们将如何应对恶意网络犯罪的多样化安全性能报告，包括垃圾邮件，网络钓鱼和分布式拒绝服务（DDoS）攻击。根据实验结果，本项目将为政策制定者和企业提供切实可行的建议，以提高其安全防范能力。作为数据分析方法，研究人员将采用潜在有用的理论和经验模型：（i）允许内源性实验的模型，（ii）防御者和攻击者之间具有策略交互的静态和动态模型，以及（iii）利用PI的综合安全评估指标的网络保险和再保险模型。PI将使用实验和观测数据估计这些模型中的政策相关参数。除了现有的防御者数据集之外，还收集了重要的数据集，这些数据集将用于分析攻击者的数据，例如网络钓鱼活动数据、外发垃圾邮件数据和真实的DDoS信息。由于PI寻求恢复政策的灵活异质效应，而网络安全数据通常表现出很大的异质性，因此他们引入了最近计量经济学文献中开发的半参数识别和估计方法。这项工作有助于随机现场实验的文献在几个方面：（一）确定随机现场实验中的问题，由于外部影响的存在;（二）在网络安全的背景下，重新设计以前的实验，并通过引入经验策略，控制使用新的数据集对攻击者的内隐攻击;（iii）恢复处理的完全异质性效应，这与文献中通常采用的简单且受限的方法不同;（iv）由于一些数据集具有高频率（例如，DDoS真实的时间攻击），以开发处理大数据问题的估计方法。该项目的理论模型通过以下新特征对网络安全文献做出了贡献：（i）通过使用随机分析在连续时间框架中进行动态网络安全博弈;（ii）具有再保险机会的网络保险模型，以及政府作为最终过度风险承担者的角色的规范，以及政府通过改变保费来控制组织的网络安全投资水平的方法。